MAECProject / schemas

MAEC Schemas and Schema Development

Add Ability to Capture Beaconing/C2 Domains and Infrastructure #101

Open ikiril01 opened 9 years ago

ikiril01 commented 9 years ago

We should add the ability to capture the beaconing/callout/C2 Domains used by a malware instance, either as part of a Capability or a separate structure.

ikiril01 commented 9 years ago

I'm wondering if this should also include other useful snippets of network traffic, such as HTTP user agents?

ikiril01 commented 9 years ago

An important aspect of this is capturing information about network infrastructure associated with operationalizing and delivering the malware instance. This would likely involve:

Update: it would also be useful to capture the nature or type of server being used, e.g.,

ikiril01 commented 9 years ago

For C2 and Exfiltration entities, it may make the most sense to define this as a structured Capability property that references existing Objects (such as those originating from Actions).

For example,

<Object id="object-1">
    <Properties xsi:type="AddressObj:AddressObjectType">
       <Address_Value>10.0.0.0</Address_Value>
    </Properties>
</Object>

<Object id="object-2">
    <Properties xsi:type="DomainNameObj:DomainNameObjectType">
       <Value>asdffsdgh.info</Value>
    </Properties>
</Object>

<Capability name="command and control" id="capability-1">
    <Property>
      <Name xsi:type="C2PropertiesVocab">C2 server</Name>
      <Object_Reference object_id="object-1"/>
    </Property>
</Capability>

<Capability name="data exfiltration" id="capability-2">
    <Property>
      <Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
      <Object_Reference object_id="object-2"/>
    </Property>
</Capability>

As far as other entities related to malware distribution/origination network infrastructure, I'm wondering if this is more aligned with malware field data (which we already capture to some extent, though it will be refactored per #95), and thus should be captured there? E.g.,

<Object id="object-3">
    <Properties xsi:type="AddressObj:AddressObjectType">
       <Address_Value>10.1.2.3</Address_Value>
    </Properties>
</Object>

<Malware_Subject id="malware-subject-1">
    <Field_Data>
      <Distribution_Site object_id="object-3"/>
    </Field_Data>
</Malware_Subject>
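An added example, not from the MAEC project or this thread: a small Python consumer that follows the Object_Reference links in the Capability properties proposed above back to the Objects they name, and reports references that resolve to nothing. The <Bundle> wrapper element, the xsi namespace declaration and the extra unresolvable "object-99" reference are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the shape proposed above (not real MAEC output); the
# <Bundle> wrapper and the dangling "object-99" reference are assumptions.
SAMPLE = """<Bundle xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Object id="object-1"><Properties xsi:type="AddressObj:AddressObjectType">
  <Address_Value>10.0.0.0</Address_Value></Properties></Object>
<Object id="object-2"><Properties xsi:type="DomainNameObj:DomainNameObjectType">
  <Value>asdffsdgh.info</Value></Properties></Object>
<Capability name="command and control" id="capability-1">
  <Property><Name xsi:type="C2PropertiesVocab">C2 server</Name>
    <Object_Reference object_id="object-1"/></Property></Capability>
<Capability name="data exfiltration" id="capability-2">
  <Property><Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
    <Object_Reference object_id="object-2"/></Property>
  <Property><Name xsi:type="C2PropertiesVocab">backup server</Name>
    <Object_Reference object_id="object-99"/></Property></Capability>
</Bundle>"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Which child of <Properties> carries the indicator value, keyed by xsi:type.
VALUE_ELEMENT = {"AddressObj:AddressObjectType": "Address_Value",
                 "DomainNameObj:DomainNameObjectType": "Value"}

def index_objects(root):
    """Map each top-level Object id to (xsi:type of its Properties, value)."""
    objects = {}
    for obj in root.findall("Object"):
        props = obj.find("Properties")
        kind = props.get(XSI_TYPE)
        tag = VALUE_ELEMENT.get(kind)
        objects[obj.get("id")] = (kind, props.findtext(tag) if tag else None)
    return objects

def resolve_infrastructure(xml_text):
    """Follow each Property's Object_Reference to its Object; return (resolved,
    dangling), where dangling lists (capability id, object_id) no Object defines."""
    root = ET.fromstring(xml_text)
    objects = index_objects(root)
    resolved, dangling = [], []
    for cap in root.findall("Capability"):
        for prop in cap.findall("Property"):
            pname = prop.findtext("Name")
            for ref in prop.findall("Object_Reference"):
                oid = ref.get("object_id")
                if oid in objects:
                    kind, value = objects[oid]
                    resolved.append((cap.get("name"), pname, kind, value))
                else:
                    dangling.append((cap.get("id"), oid))
    return resolved, dangling
```

A consumer should surface the dangling list rather than drop it, since a Capability that points at a missing Object carries no usable indicator.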